ZooKeeper Authentication

ZooKeeper supports mutual server-to-server (quorum peer) authentication using SASL (Simple Authentication and Security Layer), which provides a layer around Kerberos authentication.
Server-to-server authentication among the ZooKeeper servers in an ensemble mitigates the risk of spoofing by a rogue server on an unsecured network. For more information about quorum peer authentication
and how the feature leverages ZooKeeper's SASL support, see the Cloudera Engineering Blog post, Hardening Apache ZooKeeper Security.

Requirements

Configuring ZooKeeper to use Kerberos for client-server or server-server authentication requires that your organization's Kerberos instance (MIT Kerberos, Microsoft Active Directory) be
up and running, and reachable by the ZooKeeper server or client during the configuration processes detailed below.

Before enabling mutual authentication, the ZooKeeper servers in the cluster must be configured to authenticate using Kerberos.

Note: Cloudera recommends that you ensure your ZooKeeper ensemble is working properly before you attempt to integrate Kerberos
authentication.

Configuring ZooKeeper Server for Kerberos Authentication

You can configure the ZooKeeper server for Kerberos authentication in Cloudera Manager.

Using Cloudera Manager to Configure ZooKeeper Server for Kerberos Authentication

To set up the ZooKeeper server for Kerberos authentication in Cloudera Manager, complete the following steps:

In Cloudera Manager, open the ZooKeeper service.

Click the Configuration tab.

Enter Kerberos in the Search bar.

Find the Enable Kerberos Authentication property and select the check-box next to the ZooKeeper services that you want to configure for Kerberos
authentication.

Configuring ZooKeeper Client Shell for Kerberos Authentication

In addition to configuring ZooKeeper Server hosts to use Kerberos for authentication, you should also configure the ZooKeeper client shell (the ZooKeeper CLI) to authenticate to the
ZooKeeper service using Kerberos credentials. As with the ZooKeeper Server, you must create a Kerberos principal for the client, as detailed below:

Create a Kerberos principal for the zookeeper-client, zkcli@YOUR-REALM, replacing
YOUR-REALM with the name of your organization's Kerberos realm:

kadmin: addprinc -randkey zkcli@YOUR-REALM

Create a keytab file for the ZooKeeper client shell using the -norandkey option.
Note: Not all versions of kadmin support the -norandkey option; in that case, simply
omit the option from the command. Be aware that exporting the keytab without -norandkey regenerates the principal's key (a new random password),
which invalidates any keytabs previously exported for that principal.

Verifying the Configuration

After enabling Kerberos authentication and restarting the ZooKeeper cluster, you can verify that the authentication is working correctly by following these steps:

Start the ZooKeeper client, passing to it the name of a ZooKeeper server:

zookeeper-client -server fqdn.example.com:port

From the ZooKeeper CLI, create a protected znode using your ZooKeeper client principal:

create /znode1 znode1data sasl:zkcli@YOUR-REALM:cdwra

Verify the znode is created and the ACL is set correctly:

getAcl /znode1

The getAcl command returns each ACL entry on the znode: its scheme, its id, and its permissions. Verify that the entry for your client principal uses the sasl scheme with the permissions you specified, and that no other entries are present.
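The following script is an added example, not part of the Cloudera page or the ZooKeeper project. It parses the two-line-per-entry format the ZooKeeper CLI uses for getAcl output ("'scheme,'id" followed by ": perms"), compares the result against the scheme:id:perms string given to create, and reports any entry that widens access beyond the Kerberos client principal. The sample outputs, the principal zkcli@EXAMPLE.COM, and the function names are constructed for the example; the permission bit values are those ZooKeeper defines in ZooDefs.Perms. Note that the letters in a permission string are order-independent, so the cdwra typed at create time matches the cdrwa that getAcl prints.

```python
"""Verify a znode ACL reported by the ZooKeeper CLI's getAcl command.

Assumed getAcl output format (ZooKeeper 3.4/3.5 CLI): one pair of lines per
ACL entry, "'scheme,'id" followed by ": perms". The sample outputs below are
constructed for this example, not captured from a real ensemble.
"""
import re

# Permission letters as printed by the CLI, mapped to ZooKeeper's Perms bits
# (ZooDefs.Perms: READ=1, WRITE=2, CREATE=4, DELETE=8, ADMIN=16).
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}

# One getAcl entry: the id line, then the permission line.
ACL_ENTRY = re.compile(
    r"^'(?P<scheme>[^,']+),'(?P<id>.*?)[ \t]*\n[ \t]*:[ \t]*(?P<perms>[rwcda]*)[ \t]*$",
    re.MULTILINE,
)


def perms_to_bits(perms):
    """Turn a permission string such as 'cdwra' into a bitmask (order-independent)."""
    bits = 0
    for ch in perms:
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission letter {ch!r}")
        bits |= PERM_BITS[ch]
    return bits


def bits_to_perms(bits):
    """Render a bitmask in the letter order the CLI prints."""
    return "".join(ch for ch in "cdrwa" if bits & PERM_BITS[ch])


def parse_acl_spec(spec):
    """Parse 'scheme:id:perms' as typed on the CLI's create command."""
    scheme, rest = spec.split(":", 1)
    ident, perms = rest.rsplit(":", 1)  # digest ids contain ':' themselves
    return scheme, ident, perms_to_bits(perms)


def parse_getacl_output(text):
    """Return [(scheme, id, bits), ...] parsed from getAcl output."""
    entries = [
        (m["scheme"], m["id"], perms_to_bits(m["perms"]))
        for m in ACL_ENTRY.finditer(text)
    ]
    if not entries:
        raise ValueError("no ACL entries recognised in getAcl output")
    return entries


def check_acl(getacl_output, expected_spec):
    """Return a list of findings; an empty list means the ACL is exactly as expected."""
    expected = parse_acl_spec(expected_spec)
    entries = parse_getacl_output(getacl_output)
    findings = []
    if expected not in entries:
        findings.append(f"expected entry {expected_spec} not present")
    for scheme, ident, bits in entries:
        if (scheme, ident, bits) == expected:
            continue
        # Any other entry grants access to something other than the Kerberos principal.
        findings.append(f"unexpected entry {scheme}:{ident}:{bits_to_perms(bits)}")
    return findings


# Constructed sample outputs (not captured from a real ensemble).
SECURE_OUTPUT = "'sasl,'zkcli@EXAMPLE.COM\n: cdrwa\n"
LEAKY_OUTPUT = "'sasl,'zkcli@EXAMPLE.COM\n: cdrwa\n'world,'anyone\n: r\n"

if __name__ == "__main__":
    spec = "sasl:zkcli@EXAMPLE.COM:cdwra"
    for name, out in (("secure", SECURE_OUTPUT), ("leaky", LEAKY_OUTPUT)):
        print(name, check_acl(out, spec) or "OK")
```

In practice you would paste the real getAcl output into check_acl; the second sample shows the case worth catching, where a world:anyone entry leaves the znode readable without any Kerberos credentials even though the sasl entry is present.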

Enabling Server-Server Mutual Authentication

Support for mutual authentication between ZooKeeper Servers can be enabled through the Cloudera Manager Admin Console. For secured networks, server-to-server authentication is considered
an optional security enhancement, so the capability is disabled by default.
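The following script is an added example, not part of the Cloudera page or the ZooKeeper project. It shows what "disabled by default" means at the zoo.cfg level and distinguishes three states of quorum SASL: disabled, enabled but permissive, and enforced. The property names (quorum.auth.enableSasl, quorum.auth.learnerRequireSasl, quorum.auth.serverRequireSasl and the two saslLoginContext settings) are ZooKeeper's own quorum settings from the upstream administrator's guide; they do not appear on this page, which configures the feature through Cloudera Manager. The configuration texts and hostnames are constructed for the example.

```python
"""Classify the quorum (server-to-server) SASL state of a zoo.cfg.

The quorum.auth.* property names are ZooKeeper's upstream settings (assumed
here, not taken from this page). The configuration texts are constructed.
"""

# Property -> ZooKeeper's default. All three default to "false", which is why
# quorum authentication is off unless it is switched on deliberately.
QUORUM_KEYS = {
    "quorum.auth.enableSasl": "false",          # turn quorum SASL on at all
    "quorum.auth.learnerRequireSasl": "false",  # learners must authenticate to the leader
    "quorum.auth.serverRequireSasl": "false",   # leader rejects unauthenticated learners
}


def parse_properties(text):
    """Minimal key=value parser for zoo.cfg (comments start with '#' or '!')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def quorum_auth_status(cfg_text):
    """Return 'disabled', 'permissive' or 'enforced' for the given zoo.cfg text."""
    props = parse_properties(cfg_text)
    flags = {
        key: props.get(key, default).lower() == "true"
        for key, default in QUORUM_KEYS.items()
    }
    if not flags["quorum.auth.enableSasl"]:
        return "disabled"  # the default: peers never authenticate each other
    if flags["quorum.auth.learnerRequireSasl"] and flags["quorum.auth.serverRequireSasl"]:
        return "enforced"  # every peer connection must authenticate
    # SASL is available, but peers that do not authenticate are still accepted.
    # Upstream documents this as a rolling-upgrade mode, not an end state.
    return "permissive"


# Constructed sample configurations.
BASE_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""

# Weak: SASL switched on but not required, so a rogue peer is still admitted.
PERMISSIVE_CFG = BASE_CFG + "quorum.auth.enableSasl=true\n"

# Hardened: every quorum connection must authenticate in both directions.
HARDENED_CFG = BASE_CFG + """\
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.learner.saslLoginContext=QuorumLearner
quorum.auth.server.saslLoginContext=QuorumServer
"""

if __name__ == "__main__":
    for name, cfg in (("default", BASE_CFG), ("permissive", PERMISSIVE_CFG), ("hardened", HARDENED_CFG)):
        print(f"{name}: {quorum_auth_status(cfg)}")
```

The middle state is the one to watch for after a migration: with only quorum.auth.enableSasl set, authenticated peers work, but an unauthenticated server can still join the ensemble, which is exactly the spoofing risk the feature exists to remove.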

If this documentation includes code, including but not limited to, code examples, Cloudera makes this available to you under the terms of the Apache License, Version 2.0, including any required
notices. A copy of the Apache License Version 2.0 can be found here.